WordPress.org

Make WordPress Core

Changeset 5402


Ignore:
Timestamp:
05/07/2007 02:16:03 AM (11 years ago)
Author:
ryan
Message:

attribute_escape for widgets. see #4169

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/2.2/wp-includes/widgets.php

    r5398 r5402  
    339339        update_option('widget_pages', $options);
    340340    }
    341     $title = htmlspecialchars($options['title'], ENT_QUOTES);
     341    $title = attribute_escape($options['title']);
    342342?>
    343343            <p><label for="pages-title"><?php _e('Title:'); ?> <input style="width: 250px;" id="pages-title" name="pages-title" type="text" value="<?php echo $title; ?>" /></label></p>
     
    368368            <div>
    369369            <input type="text" name="s" id="s" size="15" /><br />
    370             <input type="submit" value="<?php _e('Search'); ?>" />
     370            <input type="submit" value="<?php echo attribute_escape(__('Search')); ?>" />
    371371            </div>
    372372            </form>
     
    387387    if($d) {
    388388?>
    389         <select name="archive-dropdown" onChange='document.location.href=this.options[this.selectedIndex].value;'> <option value=""><?php _e('Select Month'); ?></option> <?php wp_get_archives('type=monthly&format=option'); ?> </select>
     389        <select name="archive-dropdown" onChange='document.location.href=this.options[this.selectedIndex].value;'> <option value=""><?php echo attribute_escape(__('Select Month')); ?></option> <?php wp_get_archives('type=monthly&format=option'); ?> </select>
    390390<?php   
    391391    } else {
     
    413413    $count = $options['count'] ? 'checked="checked"' : '';
    414414    $dropdown = $options['dropdown'] ? 'checked="checked"' : '';
    415     $title = htmlspecialchars($options['title'], ENT_QUOTES);
     415    $title = attribute_escape($options['title']);
    416416?>
    417417            <p><label for="archives-title"><?php _e('Title:'); ?> <input style="width: 250px;" id="archives-title" name="archives-title" type="text" value="<?php echo $title; ?>" /></label></p>
     
    432432            <?php wp_register(); ?>
    433433            <li><?php wp_loginout(); ?></li>
    434             <li><a href="<?php bloginfo('rss2_url'); ?>" title="<?php _e('Syndicate this site using RSS 2.0'); ?>"><?php _e('Entries <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
    435             <li><a href="<?php bloginfo('comments_rss2_url'); ?>" title="<?php _e('The latest comments to all posts in RSS'); ?>"><?php _e('Comments <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
    436             <li><a href="http://wordpress.org/" title="<?php _e('Powered by WordPress, state-of-the-art semantic personal publishing platform.'); ?>">WordPress.org</a></li>
     434            <li><a href="<?php bloginfo('rss2_url'); ?>" title="<?php echo attribute_escape(__('Syndicate this site using RSS 2.0')); ?>"><?php _e('Entries <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
     435            <li><a href="<?php bloginfo('comments_rss2_url'); ?>" title="<?php echo attribute_escape(__('The latest comments to all posts in RSS')); ?>"><?php _e('Comments <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
     436            <li><a href="http://wordpress.org/" title="<?php echo attribute_escape(__('Powered by WordPress, state-of-the-art semantic personal publishing platform.')); ?>">WordPress.org</a></li>
    437437            <?php wp_meta(); ?>
    438438            </ul>
     
    449449        update_option('widget_meta', $options);
    450450    }
    451     $title = htmlspecialchars($options['title'], ENT_QUOTES);
     451    $title = attribute_escape($options['title']);
    452452?>
    453453            <p><label for="meta-title"><?php _e('Title:'); ?> <input style="width: 250px;" id="meta-title" name="meta-title" type="text" value="<?php echo $title; ?>" /></label></p>
     
    477477        update_option('widget_calendar', $options);
    478478    }
    479     $title = htmlspecialchars($options['title'], ENT_QUOTES);
     479    $title = attribute_escape($options['title']);
    480480?>
    481481            <p><label for="calendar-title"><?php _e('Title:'); ?> <input style="width: 250px;" id="calendar-title" name="calendar-title" type="text" value="<?php echo $title; ?>" /></label></p>
     
    513513        update_option('widget_text', $options);
    514514    }
    515     $title = htmlspecialchars($options[$number]['title'], ENT_QUOTES);
    516     $text = htmlspecialchars($options[$number]['text'], ENT_QUOTES);
     515    $title = attribute_escape($options[$number]['title']);
     516    $text = attribute_escape($options[$number]['text']);
    517517?>
    518518            <input style="width: 450px;" id="text-title-<?php echo "$number"; ?>" name="text-title-<?php echo "$number"; ?>" type="text" value="<?php echo $title; ?>" />
     
    547547<?php for ( $i = 1; $i < 10; ++$i ) echo "<option value='$i' ".($options['number']==$i ? "selected='selected'" : '').">$i</option>"; ?>
    548548            </select>
    549             <span class="submit"><input type="submit" name="text-number-submit" id="text-number-submit" value="<?php _e('Save'); ?>" /></span></p>
     549            <span class="submit"><input type="submit" name="text-number-submit" id="text-number-submit" value="<?php echo attribute_escape(__('Save')); ?>" /></span></p>
    550550        </form>
    551551    </div>
     
    624624    $hierarchical = $options['hierarchical'] ? 'checked="checked"' : '';
    625625    $dropdown = $options['dropdown'] ? 'checked="checked"' : '';
    626     $title = wp_specialchars($options['title']);
     626    $title = attribute_escape($options['title']);
    627627?>
    628628            <p><label for="categories-title"><?php _e('Title:'); ?> <input style="width: 250px;" id="categories-title" name="categories-title" type="text" value="<?php echo $title; ?>" /></label></p>
     
    683683        wp_flush_widget_recent_entries();
    684684    }
    685     $title = htmlspecialchars($options['title'], ENT_QUOTES);
     685    $title = attribute_escape($options['title']);
    686686    if ( !$number = (int) $options['number'] )
    687687        $number = 5;
     
    738738        wp_delete_recent_comments_cache();
    739739    }
    740     $title = htmlspecialchars($options['title'], ENT_QUOTES);
     740    $title = attribute_escape($options['title']);
    741741    if ( !$number = (int) $options['number'] )
    742742        $number = 5;
     
    779779        return;
    780780    $rss = fetch_rss($url);
    781     $link = wp_specialchars(strip_tags($rss->channel['link']), 1);
     781    $link = clean_url(strip_tags($rss->channel['link']));
    782782    while ( strstr($link, 'http') != $link )
    783783        $link = substr($link, 1);
    784     $desc = wp_specialchars(strip_tags(html_entity_decode($rss->channel['description'], ENT_QUOTES)), 1);
     784    $desc = attribute_escape(strip_tags(html_entity_decode($rss->channel['description'], ENT_QUOTES)));
    785785    $title = $options[$number]['title'];
    786786    if ( empty($title) )
     
    790790    if ( empty($title) )
    791791        $title = __('Unknown Feed');
    792     $url = wp_specialchars(strip_tags($url), 1);
     792    $url = clean_url(strip_tags($url));
    793793    if ( file_exists(dirname(__FILE__) . '/rss.png') )
    794794        $icon = str_replace(ABSPATH, get_option('siteurl').'/', dirname(__FILE__)) . '/rss.png';
    795795    else
    796796        $icon = get_option('siteurl').'/wp-includes/images/rss.png';
    797     $title = "<a class='rsswidget' href='$url' title='Syndicate this content'><img style='background:orange;color:white;border:none;' width='14' height='14' src='$icon' alt='RSS' /></a> <a class='rsswidget' href='$link' title='$desc'>$title</a>";
     797    $title = "<a class='rsswidget' href='$url' title='" . attribute_escape(__('Syndicate this content')) ."'><img style='background:orange;color:white;border:none;' width='14' height='14' src='$icon' alt='RSS' /></a> <a class='rsswidget' href='$link' title='$desc'>$title</a>";
    798798?>
    799799        <?php echo $before_widget; ?>
     
    806806            while ( strstr($item['link'], 'http') != $item['link'] )
    807807                $item['link'] = substr($item['link'], 1);
    808             $link = wp_specialchars(strip_tags($item['link']), 1);
    809             $title = wp_specialchars(strip_tags($item['title']), 1);
     808            $link = clean_url(strip_tags($item['link']));
     809            $title = attribute_escape(strip_tags($item['title']));
    810810            if ( empty($title) )
    811811                $title = __('Untitled');
     
    815815            } else {
    816816                if ( isset( $item['description'] ) && is_string( $item['description'] ) )
    817                     $desc = str_replace(array("\n", "\r"), ' ', wp_specialchars(strip_tags(html_entity_decode($item['description'], ENT_QUOTES)), 1));
     817                    $desc = str_replace(array("\n", "\r"), ' ', attribute_escape(strip_tags(html_entity_decode($item['description'], ENT_QUOTES))));
    818818                $summary = '';
    819819            }
     
    833833    if ( $_POST["rss-submit-$number"] ) {
    834834        $newoptions[$number]['items'] = (int) $_POST["rss-items-$number"];
    835         $url = strip_tags(stripslashes($_POST["rss-url-$number"]));
     835        $url = clean_url(strip_tags(stripslashes($_POST["rss-url-$number"])));
    836836        $newoptions[$number]['title'] = trim(strip_tags(stripslashes($_POST["rss-title-$number"])));
    837837        if ( $url !== $options[$number]['url'] ) {
     
    852852        update_option('widget_rss', $options);
    853853    }
    854     $url = htmlspecialchars($options[$number]['url'], ENT_QUOTES);
     854    $url = attribute_escape($options[$number]['url']);
    855855    $items = (int) $options[$number]['items'];
    856     $title = htmlspecialchars($options[$number]['title'], ENT_QUOTES);
     856    $title = attribute_escape($options[$number]['title']);
    857857    if ( empty($items) || $items < 1 ) $items = 10;
    858858?>
     
    891891<?php for ( $i = 1; $i < 10; ++$i ) echo "<option value='$i' ".($options['number']==$i ? "selected='selected'" : '').">$i</option>"; ?>
    892892            </select>
    893             <span class="submit"><input type="submit" name="rss-number-submit" id="rss-number-submit" value="<?php _e('Save'); ?>" /></span></p>
     893            <span class="submit"><input type="submit" name="rss-number-submit" id="rss-number-submit" value="<?php echo attribute_escape(__('Save')); ?>" /></span></p>
    894894        </form>
    895895    </div>
Note: See TracChangeset for help on using the changeset viewer.